This is a high-level checklist for examining issues involving the Stored Communications Act (SCA), 18 U.S.C. § 2701 et seq., which comprises one of the major components of the Electronic Communication Privacy Act (ECPA). The other major component of the ECPA is the Wiretap Act, 18 U.S.C. § 2510 et seq. The Wiretap Act generally governs when communications (whether electronic, oral, or wire) are “intercept[ed],” while the Stored Communications Act governs access to electronic communications that are “in electronic storage.”

Consider How SCA Issues May Arise

Keep in mind the variety of ways in which SCA issues may arise:

• ✔ SCA compliance. Consider direct liability for violations of the SCA’s provisions.
• ✔ Subpoenas. Keep in mind the limitations on civil subpoena responses due to the SCA.
• ✔ Government investigations. Consider access to stored communications by government investigators.

Is the Technology an Electronic Communication Service or a Remote Computing Service?

Determine the relevant SCA rules for the particular technology involved. Different SCA rules apply depending on whether technology is classified as “electronic communication services” (ECS), “remote computing services” (RCS), both, or neither.

• ✔ Consider whether the technology is an electronic communication service or a remote computing service.In doing so, think about the following issues:
  • Legislation outdated. Recognize that Congress passed the SCA in 1986—before the development of most modern technology. Thus, applying the SCA to today’s technology may be difficult/uncertain.
  • Issues with categorization. Note that some technologies may provide both an electronic communication service and a remote computing service. Some technologies may be neither.

Determine Whether Communications Were Stored Electronically

If the technology is an electronic communications service, consider whether the communications involved were in electronic storage.

• ✔ Messages pending delivery. Messages pending delivery are generally held to be in electronic storage. See, e.g., Quon v. Arch Wireless Operating Co., Inc., 529 F.3d 892 (9th Cir. 2008), rev’d on other grounds, 560 U.S. 746 (2010).
• ✔ Delivered messages. Courts have reached varying results regarding delivered messages. Compare, e.g., Theofel v. Farey-Jones, 359 F.3d 1066, 1076–77 (9th Cir. 2003) (holding delivered messages were in electronic storage for purposes of the SCA) with United States v. Weaver, 636 F. Supp. 2d 769, 771–73 (C.D. Ill. 2009) (holding previously opened messages not in electronic storage for purposes of the SCA).
• ✔ Items stored on personal devices. Courts generally conclude that items stored on personal devices are not in electronic storage. See, e.g., In re DoubleClick, Inc. Privacy Litig., 154 F. Supp. 2d 497, 511–12 (S.D.N.Y. 2001); Garcia v. City of Laredo, 702 F.3d 788 (5th Cir. 2012).

Consider Potential Defenses or Exceptions to Liability

• ✔ Authorization not exceeded. If the policy or procedures in place entitled the accessing individual to see the information, courts will generally not find SCA liability. See 18 U.S.C. § 2701(c); Sherman & Co. v. Salton Maxim Housewares, Inc., 94 F. Supp. 2d 817, 821 (E.D. Mich. 2000) (rejecting SCA claim because individuals had authorization at the time of access).
• ✔ Permissible disclosures of communication contents. The SCA allows remote computing services or electronic communication services to disclose the contents of a communication in circumstances specifically addressed in 18 U.S.C. § 2702(b).
• ✔ Permissible disclosures of information concerning a subscriber or customer. The SCA allows providers of a remote computing service or electronic communication service to disclose information concerning a subscriber to, or customer of, such service in circumstances specifically addressed in 18 U.S.C. § 2702(c).
• ✔ Court orders, warrants, subpoenas, statutory authorization, or certifications. The SCA has an exception for electronic communication service providers who provide information in response to a legal mandate pursuant to 18 U.S.C. § 2703(e) or 18 U.S.C. § 2702(c)(4).
• ✔ Good faith reliance on legal requests. There is generally no SCA liability for individuals or entities relying in good faith on a court order or law enforcement request for access to stored communications. See 18 U.S.C. § 2707(e).

Consider Potential Liability

Consider the following types of potential liability under the SCA:

• ✔ Civil remedies.A civil plaintiff can recover:
  • Actual/statutory damages.A civil plaintiff can recover either actual or statutory damages. See 18 U.S.C. § 2707.
    • Note that some courts hold that plaintiffs must prove at least some actual damage to recover statutory damages. See, e.g., Van Alstyne v. Elec. Scriptorium, Ltd., 560 F.3d 199, 206 (4th Cir. 2009).
  • Punitive damages. The SCA provides for punitive damages. See 18 U.S.C. § 2707.
• ✔ Aiding/abetting liability. Courts have held that the SCA does not impose civil liability under an aiding and abetting theory. See, e.g., Council on American–Islamic Rels. Action Network, Inc. v. Gaubatz, 891 F. Supp. 2d 13, 26–27 (D.D.C. 2012).
• ✔ Criminal liability. The SCA also includes potential criminal liability for violations of its provisions. See 18 U.S.C. § 2707.

Research Other Potentially Applicable Laws

The following laws may also be applicable:

• ✔ The Wiretap Act, 18 U.S.C. § 2510 et seq.
• ✔ The Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030. For information on the CFAA, see Cybersecurity Measures to Protect Employers’ Confidential Information and Trade Secrets and Counterclaims or Separate Lawsuits against Plaintiff Employees.
• ✔ The Pen Register Act, 18 U.S.C. § 3121 et seq.
• ✔ The Cybersecurity Act of 2015, 6 U.S.C. § 1501 et seq.
• ✔ State tort laws concerning privacy

Checklist provided by Michael E. Lackey and Oral D. Pottinger at Mayer Brown LLP

To find this article in Lexis Practice Advisor, follow this research path:

RESEARCH PATH: Labor & Employment > Employment Policies > Company Property and Electronic Information > Checklists

Related Content